
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

MasterCard Offers Merchants Free Network Scans and Incentives for Using Authentication Service (11 January 2006)

MasterCard says it will reduce transaction charges for merchants using its SecureCode customer authentication service, which allows merchants to authenticate customers by having them enter a passcode that is known only to the customers and the issuing banks. MasterCard will also provide free network vulnerability scans for one IP address per merchant until June 2006. Network vulnerability scans are required under the Payment Card Industry Data Security Standard that took effect in July 2005.
-http://www.computerworld.com/printthis/2006/0,4814,107659,00.html
-http://www.mastercard.com/us/merchant/security/what_can_do/SDP/merchant/free_scan.html
[Editor's Note (Schultz): Offering reduced transaction charges for using MasterCard's SecureCode authentication is a brilliant idea, as is offering free network scans. By taking these initiatives MasterCard is substantially reducing resistance to security measures; information security practitioners should note and imitate this approach whenever possible.
(Pescatore): The Payment Card Industry Data Security Standard program needs more attention and investment from the Payment Card Industry than just giving out free single IP address vulnerability scans. Merchants and processors are frustrated by the lack of guidance and feedback from Visa and MasterCard on the issues around acceptable compensating controls when issues are found. While the PCI DSS approach is a good idea, the Payment Card industry's execution has been lacking.]

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Ang Chiong Teck, a student at Singapore's Nanyang Technological University, has been sentenced to four months in prison for selling pirated copies of Microsoft software. The phony copies of software included forged certificates of authenticity. Ang's scheme was discovered when those who had purchased the software found they lacked the codes required to register the software online and download updates. When Ang was arrested, authorities confiscated S$20,000 (US$12,270) worth of pirated software in his possession. Ang was arrested in September, but his sentencing was delayed until December to allow him to finish his university examinations.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39246559-39020651t-10000022csa

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

Audit of Military User Accounts Finds Problems (10 January 2006)

An audit of US military computer user accounts found that as many as 20 percent of all accounts are unauthorized or inactive, with 3,000 in the Defense Information Systems Agency (DISA) alone. Inactive accounts are those abandoned when those to whom they were issued moved on to other positions; unauthorized accounts are those that were created with "unnecessary or unauthorized permissions." The existence of these accounts, together with the fact that military systems experience slow patch distribution, presents opportunities for malicious attackers to infiltrate military computer systems.
-http://www.eweek.com/print_article2/0,1217,a=168898,00.asp
[Editor's Note (Kreitner): Closing no longer needed user accounts is especially important in organizations like the military where there is so much personnel turnover, but this is a ubiquitous management failure--and a good candidate for a metric tracking the effectiveness over time of improved access management discipline.
(Grefer): Exit procedures, independent of the reason (lay-off, promotion, cross-organizational move), should include a phased approach to dealing with the former accounts and privileges. Following an initial lockdown of said account, migrate the remaining data and privileges to a successor, substitute or surrogate, and subsequently disable or delete the account.]
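The audit above counts two kinds of problem account, inactive and unauthorized, and Kreitner suggests tracking the share of such accounts as a metric. The script below is an added example (not from the newsletter, DISA or any named source) of how a defender can compute that metric from an account export: the export layout, the 90-day inactivity threshold, the permission allowlist and the sample accounts are all constructed assumptions.

```python
"""Flag inactive and unauthorized accounts in an account export and report the share.

Added example. The export format (username, last logon date, permission set),
the inactivity threshold and the allowlist of authorized permissions are
assumptions; the sample rows below are constructed, not real data.
"""
from datetime import date, timedelta

# Constructed sample export: (username, last logon as ISO date or None, permissions)
SAMPLE_ACCOUNTS = [
    ("alice", "2006-01-05", {"user"}),
    ("bob", "2005-08-01", {"user"}),                    # no logon for months: inactive
    ("carol", "2006-01-09", {"user", "domain_admin"}),  # permission outside the allowlist
    ("svc_backup", None, {"backup_operator"}),          # never logged on: inactive
]

# Assumed set of permissions the organization has authorized for ordinary accounts.
ALLOWED_PERMISSIONS = {"user", "backup_operator"}

# Assumed reporting date for the audit run.
AS_OF = date(2006, 1, 10)


def classify_accounts(accounts, today=AS_OF, inactive_days=90, allowed=ALLOWED_PERMISSIONS):
    """Return {username: [issues]} for every account that is inactive or over-privileged.

    An account is inactive when it has never logged on or its last logon is older
    than `inactive_days`; it is unauthorized when it holds permissions outside `allowed`.
    """
    cutoff = today - timedelta(days=inactive_days)
    findings = {}
    for name, last_logon, perms in accounts:
        issues = []
        if last_logon is None or date.fromisoformat(last_logon) < cutoff:
            issues.append("inactive")
        extra = set(perms) - set(allowed)
        if extra:
            issues.append("unauthorized:" + ",".join(sorted(extra)))
        if issues:
            findings[name] = issues
    return findings


def problem_ratio(accounts, today=AS_OF, **kwargs):
    """Fraction of accounts with at least one finding: the metric to track over time."""
    if not accounts:
        return 0.0
    return len(classify_accounts(accounts, today, **kwargs)) / len(accounts)


if __name__ == "__main__":
    for name, issues in sorted(classify_accounts(SAMPLE_ACCOUNTS).items()):
        print(f"{name}: {', '.join(issues)}")
    print(f"problem ratio: {problem_ratio(SAMPLE_ACCOUNTS):.0%}")
```

Run against periodic exports, the ratio gives the trend Kreitner asks for; the per-account findings are the input to the phased handling Grefer describes (lock first, migrate data and privileges, then disable or delete).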

SPYWARE, SPAM & PHISHING

Qwest has added a clause to its subscriber agreement indicating that customers will be charged US$5 for each spam message sent from their computers if the spam results in damages awarded against Qwest. According to the new clause, the fine would stand regardless of whether or not the customers are aware of the spam being sent. However, a Qwest spokesperson said that the company would be unlikely to impose fines if a customer or end-user were the victim of malware that caused the computer to send out spam.
-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=5116
-http://www.qwest.com/legal/highspeedinternetsubscriberagreement/

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Symantec Fixes Flaw that Could Allow Malware to Hide (12 January 2005)

Kerzner International, owner of the Atlantis resort in the Bahamas, filed a document with the Bahamas Securities and Exchange Commission that included information about a data theft; personal data belonging to approximately 55,000 resort customers was among the information compromised in a database security breach. Atlantis hotel management is notifying those affected in writing and is offering them one year of credit monitoring service. The compromised information includes Social Security numbers and credit card and bank account details.
-http://news.com.com/2102-7348_3-6025591.html?tag=st.util.print
-http://www.pcworld.com/resource/article/0,aid,124339,pg,1,RSS,RSS,00.asp

STATISTICS, STUDIES & SURVEYS

2005 FBI Computer Crime Survey (11 January 2006)

According to the 2005 FBI Computer Crime Survey, 87 percent of those responding said their organizations had experienced a security incident. Ninety-eight percent of respondents said they used antivirus software; ninety percent said they used firewalls. The report found a "positive correlation between the number of security measures employed and the number of denial-of-service attacks" experienced. More than 79 percent of respondents said their organizations experienced problems with spyware. Some security incidents went unreported due to beliefs that there was no criminal activity involved in the incident, that the incident was too small to report, and that law enforcement would not be interested in the incidents. The survey asked 23 questions of 2,066 organizations in New York, Iowa, Texas and Nebraska.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1157706,00.html?track=sy160
[Editor's Note (Boeckman): This is a sad fact about the state of computer security today and serves as an indication that things are not improving much. The only thing worse is that the 13% that did not report an incident are probably just oblivious.]

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/